The only thing you need to know about wireless security is that you cannot perimeter-ize it. Wireless technologies are not something that stop at any traditional network boundary, so you cannot concentrate your security efforts for wireless at the boundaries.

Instead, you must spread your security nets wide. You must consider and protect every device with a wireless network card: every wireless access point, every computer, every handheld, every bit that travels your network bandwidth, every user, and everywhere they go. You have to do this, lest others attack them and, defenseless, they become a playground for merciless marauders, free and open conduits right into your internal network, which then becomes a vast information treasure trove for your competition.

To help you, I've prepared a list of best practices for each of these in part two (see below); but first, a little background:

Wireless security features

Two factors determine which wireless security features are present. These factors are the network mode and the IEEE standard. While additional add-on applications and devices exist that can broaden security choices, if you don't understand the current limitations of most wireless devices, you won't know which, if any of these, may benefit you.

Wireless LANs can exist in either ad hoc (peer-to-peer) or infrastructure (all wireless devices must connect to an access point) mode. In ad hoc mode, clients communicate directly with each other. Say two of your employees, Alice and Bob, set up their own wireless, ad hoc wireless LAN. Alice can expose unprotected applications, shares and other things on her system, to Bob. Unfortunately, they're exposed to just about anyone else with a wireless card. Congratulations, you just regressed your carefully constructed Windows 2000 Active Directory infrastructure to Windows for Workgroups. (It's not hard. XP automatically and by default will configure itself to find and connect to a wireless access point if any exist and, if none exist, it puts itself in ad hoc mode, so little intelligence is required to set things up.)

Infrastructure-mode wireless LANs use a central access point (AP). The AP is slightly more intelligent than a hub. So if Alice wants to visit Bob's cubicle and still remain connected to the corporate LAN, she can buy an AP and put it under her desk. Instead of connecting her laptop to the provided LAN jack, she connects the AP to the jack. Of course, Alice and Bob must configure their client to point to the AP network instead of to each other. Since they won't be using a cable, they use the network name or SSID of the access point. But the SSID is not a security feature, since many wireless LANs stay at well-known factory defaults and many APs broadcast the SSID. Worse, SSIDs often get out through word of mouth, and Internet-based directories of SSIDs and locations exist. In fact, Alice can probably purchase an AP that works right out of the box with no configuration at all.

So where's the security in all this? The answer depends on which wireless standard(s) are implemented in your hardware and software.

While several emerging wireless standards exist, there are three that you are most likely to find in the current market: 802.11a, 802.11b and 802.1x. The oldest is the 802.11b standard, and most wireless LANs meet it. The next one, 802.11a, is faster, but you cannot mix and match 802.11a and 802.11b hardware and software on your wireless LAN. 802.1x is an authentication standard for 802.11 wireless LANs, but it requires additional hardware and software for its implementation.

Security, for most 802.11 wireless LANs, means device authentication (not user authentication, and this is important) and Wired Equivalent Privacy (WEP) encryption, both of which normally use the same key. Authentication can be set to open system or shared key mode.

The first of these, open system authentication, doesn't really authenticate anything; any client can request a connection and get it. And because authentication in 802.11 is device authentication, an attacker doesn't need a valid user ID and password on your network to gain accesses to the wireless LAN. Shared key authentication is somewhat useful because, to connect a system, an attacker must know the shared key. This shared key is often also used for encryption.

WEP encryption has been tested and found lacking. Researchers found that, because of a flaw in WEP's implementation, easily mounted attacks can discover the key and thus enable decryption of the data. Free cracking tools exist on the Internet. Changing the keys frequently might foil such attacks, but there is no key management in 802.11, so key changes mean manual updates to systems that may be widely distributed.

If Alice and Bob's company implemented 802.1x-compatible wireless equipment and software, there would be more choices for the protection of the LAN. Not only does the 802.1x standard define restricted wireless-network connections, it also provides for mutual authenticated access (client-to-network, network-to-client), centralized user identification, dynamic key management (per-user and per-session, with the ability to change keys dynamically) and accounting services (who logged on when, and so forth). In addition, there is no need to dedicate the RADIUS server to protect only wireless access; it can also support wired Ethernet network access. Hurrah! You're back in the world of modern systems.

In a Windows 2000 network, you can use Internet Access Services (IAS) server. It's built in to Windows 2000, but it must be installed and configured. Windows XP provides a native 802.1x client that can take advantage of this setup. Authentication can then happen via Extensible Authentication Protocol (EAP). This protocol defines basic authentication processes common to most authentication protocols and allows administrative choice of supported add-ons. For Windows 2000 IAS, supported protocols are EAP-TLS (EAP with Transport Layer Security, an IETF standard similar to SSL), Protected EAP (PEAP) with EAP-TLS, or PEAP with EAP-MS-CHAP. PEAP is designed to make up for the deficiencies of EAP, which does not protect user identity and negotiation processes; EAP also does not address the issue of key exchange. TLS versions of this protocol require the use of certificates, while PEAP with EAP-MS-CHAP uses passwords.

Any of these protocols is a huge improvement over a simple shared key, or no authentication or encryption at all. Another of their byproducts is the ability of 802.1x to partition the wireless LAN. When a client requests authentication, its access to the wireless LAN is restricted to the access point until it has been authenticated. You can think of an 802.1x-enabled AP as if it were a simple switch, one with two ports: one for unauthenticated services, the other for authenticated ones. When Alice attempts to connect to the network, her client communicates on the unauthenticated port. If she supplies appropriate, valid credentials, her system can then communicate on the authenticated port and access the rest of the wireless and wired network. If Bob's system has not been updated, it never even connects to the authenticated port on the AP, let alone get access to the rest of your network. Keep this in mind, however: both access point and client must support 802.1x, and you must configure IAS or another compatible RADIUS server. You must configure them correctly or, as in many similar situations, the security gains of 802.1x can be lost.

In part one of this article, I told you that you must evolve wireless security on all fronts. It does little good to harden one area of your system only to have something untoward happen in some other area. And the holes, or potential holes, are legion.

This sounds like a daunting task, but the good news is that you may already have much of your security in place. Here are the steps to a more secure wireless LAN.

Host systems: You have specific security technologies for host protection, and you have to apply them. Unfamiliarity with wireless technologies doesn't mean you needn't apply sound security practices to your network, your user community and especially the host systems themselves.

Think untrusted network!

You wouldn't put Windows clients or servers unprotected on the Internet, so you shouldn't expose them to a wireless network either. Specifically, remember to harden NTFS and registry permissions, not to use the FAT file system, to use group policy to apply strong account policies for accounts (local account databases exist -- they need strong account polices as well), to reduce user rights and to set security options that protect the system. Consider using the user access right to the system from the network to establish a group, say the local administrators group, that will be the only group able to access this computer from the network. If the host is a server, consider establishing a group that includes only those who should be connecting to it. Remember also, if wireless networks open holes to your internal network, it may be time to implement those host-security lockdown policies for all machines, not just those with wireless network cards. A good guide that teaches host-based security is the Microsoft Security Operations Guide.

Finally, remember that when Alice connects her computer to an access point (AP), it's the same as if she had cabled it to a hub; she's on a LAN with every other wireless networked computer that has a connection to the AP. A personal firewall on Alice's computer will go a long way toward protecting her system. Alternatively, you might consider an IPsec policy that allows only approved protocols in to and out of Alice's machine.

Network defense: Unless the wireless LAN is self-contained -- a small network in a meeting room without Internet connections, for example -- the AP is connected to some network. It serves as a bridge for wireless clients to enable their connections to your local wired network. So think of it as just that -- a bridge from "untrusted" to "trusted." It's not that you should immediately consider all wireless users in your organization untrustworthy; it's the unwanted connections you want to avoid. To do so, use 802.1x where you can, and set up a VPN where you can't. That way, "Ian the Intruder" may be able to make a connection to the AP but will not be able to access your network, because he cannot provide appropriate credentials to either the VPN or the RADIUS server.

You may also consider setting up a firewall. Just remember that placement is important here. If a single firewall is available, you don't want to put the firewall between the AP and users attempting to connect to it. Instead, you want the firewall between the AP and your internal network.

Wireless LAN configuration: Use 802.1x if it's available. If it's not, configure WEP. Yes, the protocol is crackable, but it still can provide a reasonable speed bump to would-be listeners. Those cracking programs have to capture a lot of data before they can work, and not every wireless script kiddie will have the tools or the patience to use them. It's like the locks that most of us have on our front doors. No serious burglar has a problem getting past them, but we still lock our doors, because we know we're going to keep most people out, and because it doesn't take much effort to turn the latch as we exit the house.

Unlike your door lock, WEP can even have its keys changed easily -- and you should have them changed. I know that doesn't scale well, but think of the tons of small businesses that have only a few legitimate clients -- places where expensive third-party tools or new hardware and software are out of the question. Change the SSID from the factory default, for goodness' sake!

If you can, turn off the SSID broadcast. Users who need to connect should know the SSID or have it preconfigured in their clients. If you can, configure clients with static IP addresses and turn off DHCP (dynamic host configuration protocol) on the AP. Don't give the attacker a free address on your network. Where DHCP must be used, limit the scope to the number of clients you have. Why provide extra addresses for would-be attackers? Reserve addresses for specific systems if you can. Require a MAC address for access. Granted, MAC addresses can be spoofed, but first an attacker has to determine which MAC addresses are legal. That's not going to be easy for most people.

Use data encryption on the files stored on the host. If an attacker does get past your defenses, that makes it harder for him to get any useful information. Just please, please, read the information about saving encryption keys, and then follow through -- save the encryption keys to avoid data loss.

Special protection for mobile systems: One aspect of wireless security that few people are bothering to address is the hazard of toting a wireless network card-equipped laptop, PDA or other device. Wireless APs are appearing in airports, coffee shops, convention centers and other public gathering places. In addition, many private APs are connect-able from public places. Who's to judge whether all users connecting to these APs have the best of intentions? When users access these stations, they expose their systems to intrusions. Strong host protection and a personal firewall are the bare minimum that should be enforced here. In addition, pay special attention to the configuration of the client. Windows XP, for example, by default, automatically attempts to locate a nearby wireless LAN and discover the necessary information for configuration. An attack could be in progress and result in a successful compromise long before the user even knows the system is available. If possible, turn off wireless cards when users are not at their home offices or when they can connect to "friendly" APs.

And, if users must access networks in hazardous territories, have them carry an extra hard drive, one that is configured with a locked-down OS and little else. Users can surf the provided facilities and access the Internet, but no corporate data is exposed on their systems. This is actually a technique used by security gurus at security conferences; they want to see what's going on, but they don't want to compromise their systems.

User education: Don't forget that a lot of your problems with wireless security will come not from managed APs and locked-down hosts but from rogue APs hidden by users under their desks, or provided by individual departments in conference rooms. You should, of course, be monitoring for these systems, but user education can prevent their implementation. Knowledgeable users are your best frontline defense. If they have an appreciation for the risks and know how to mitigate them, I think you'll find them willing participants.

You should also have a security policy that addresses the issue of who implements a wireless LAN and what its minimal configurations should be. Still, you're going to need to keep an eye out for them and rip them out of your network when found.

Don't be tempted to think that, if you follow these recommendations, you'll have secured your wireless infrastructure. Nothing could be farther from the truth, for two reasons. First, technology is just changing so fast that you could let the security gap widen because of lack of knowledge or complacency. Second, other wireless technologies exist and require their own security standards, and you'll have to be aware of them. But that is a subject for another time.

I do disagree on one point because I've successfully done this with commercial hardware/softare.

Quote:

The only thing you need to know about wireless security is that you cannot perimeter-ize it. Wireless technologies are not something that stop at any traditional network boundary, so you cannot concentrate your security efforts for wireless at the boundaries.

Yes it does leak out of physical boundries, thats not my point. The signal radius can be reduced using a couple different methods. I'm not saying this is where your security should stop, just this is one factor in many of security you can control. Methods are basically dialing down your output then using more than one wireless cards to re-survey your physical site or by reducing the ability of your antenna to produce the expected output and again re-surveying your physical site.

I forget the model number but Cisco Aironet AP has a feature to dialdown your output signal. I would assume other mfg's may also have the same option, the low end AP don't. (Linksys, Netgear, Dlink, SMC and the like) This was as of last summer so maybe a few more do.

The other homemade trick(s) is to insulate you antenna with electronic insultation. i.e electrical tape, chicken wire that doesn't cover the entire antenna etc... these either block or disrupt the output signal. Hence the chicken wire sounds nuts but you'll read about it in your manual if your building has plaster walls it may have been installed with wire mesh which screws the signal strength and quality. It's even in the Linksys manual

is that you cannot perimeter-ize it. Wireless technologies are not something that stop at any traditional network boundary

With the aid of WLAN switching hardware it is entirely possible to aggregate all wireless traffic into a single point. And that point can be made as secure as any wired LAN if the time is taken to do so.

WEP is not the only answer to the problem, I lack the patience to address any of the security specifics that I currently use on our WLAN only that I am using an Aruba 5000 at the head end...but I do sleep at night knowing that there arent more then a dozen in the world that could get thru. And those dozen arent going to bother with my piddly data.

Another thing I will point out, a bit cliche but...you get what you pay for...most of the time.

seems to me that several important things were left out... i was about to post it somewhere else, though i think it would be better placed here... so...

Quote:

I will try on this subject to provide a small handguide on how and where you should pay notice and , even, apply more attention on securing a wireless network. Beside now my references to some simple and basic points on wireless infrastructure , I take for granted that basic knowledge and skills on TCP layers are there and wont extend on an analysis for them.

Object:
Build a home network with a DSL connection to the web , by using a modem and a wi-fi router. House is considered to be a third floor building and has some , hard to cover areas , which include an elevator. Building is considered to be , in an area, well known for war-driving incidents , with medium skilled attackers. In addition to this , there are near by flats and building , where some people can maintain a constant contact to your broadcasting devices, as they are in their range.

Devices:
Two APs , one WIFI router, along with specific wireless NICs of incompatible chipset (all capable though to work on 802.11g protocol). There are also 3 notebooks and one desktop with Linux distribution , installed which will work as a web server , to provide a site for the DSL connection , which is carrying a static IP address.

Beginning:
No matter how used are users to install , immediately devices on place , this is considered to be a wrong move and might become the cause of future tampers with wireless networks.
The first move should be to draw a paper with all the rooms of the building, along with all the areas that might cause , problems to the broadcasted signals. For instance the elevator tube which is metal and can cause reflections for your signal. An obstacle like this , could lead you to place an extra , signal expander to make the network available for users behind that area.

Now with this drawing in hand , you are going to select where to place access points and this router of yours. The best way to place them , is to think like in wired cases. Best way to provide , network broadcasting and services , in a wired environment is to setup a DR (Data Room) at the near middle of the building (second floor)
. Now , opposed , to the logic of the wired plans , as to setup this router, to the center of the second level , you should better prefer to install it , near the outside wall of the building , near a window.
Why?.... that will lead to the second stage of this action… by the time you will install the rest of the devices (APs) you should place them , at the direct, opposite wall, near a window , in order to get the best signal available , for all areas in building.
Always, now keep in mind that signal for wireless connections , are altered by obstacles , like multiple walls and power sources (e.g. wireless phones, microwave ovens , etc.)
Home devices are also broadcasting in circular waves , on a horizontal level , so think of it as a stone , thrown into a lake and the ripples made by that action as your waves. This is where your drawing takes major importance on how to locate , maybe a signal loss, due to an aboved mentioned ,obstacle.

Maximum ability of broadcasting signal now, especially since we are talking about incompatible chipsets on devices, should be considered at 11Mbps (ideal circumstances) to a range of 30 meters with no walls or other obstacles present. If any of the above cases , is not right, then you will experience a signal loss , which will grow in a significant way, if more than one cases , of the ones above , do not match to provide ideal connection.

If now by any chance you will notice that , there is an obstacle , that is not possible to overcome or remove (e.g. elevator) then you will be forced to pay , maybe a 80-100$ , to add an expander , for your network. Notice here that even though , it will be hard for someone to think that he might need to add six expanders in a row, i have to say that , only 3-4 will work in sequential connection , so do not , get over this number of installed devices.

Second stage.

I will not get much into on how to setup a wireless network, since it is easy to find a howto guide, all over the web, by just using Google , and adjust TCP-IP settings and workgroups. What will trouble us here is the next step on how to configure your wireless router, for security setting , while you are thinking that this is a wireless network , where almost anyone , in range, can access your broadcasting signal.

Router:

You have selected a proper range of private IPs (e.g. 10.0.0.1-254) and establish a web connection , by using the DSL modem of yours , with a static IP assigned for gateway (e.g. 10.0.0.1). How can you secure , now this network?

1) Count down all terminals in your network and re-adjust the pool scope of your DHCP settings for your network. For example , if the number of your terminals are 4 (in our case), then assign a scope for IPs , for the exact match of them. For example in our case, DHCP should be setup , with the following range: 10.0.0.3-10.0.0.6. You might have noticed that the IPs given are increased by one , to the first ip , at the last octet.
Forgot to mention that router should also be assigned with a static IP (10.0.0.2) in order to avoid conflicts and TCP collisions, while the terminals try to fin a gateway for their packets. By re-adjusting now the scope , you have limited down possibilities for an intruder to be assigned with an IP available, since all of them will be used by your terminals. He will then , have to use IP spoofing methods or man-in the-middle attack, which will be blocked if you use the next security measure.

2) MAC filtering. All NICs are assigned with a unique hardware address , which can be used as a proper way to identify – authenticate and authorize , use of network resources. In order to see your wireless NICs MACs , you can use the typical command of ipconfig /all or just check the back of your NIC , to see it. Set them in the proper fields of your router, in order to make a local filtering table for your terminals. Even now if the attacker is going to use an IP spoofing method, he will also need to make a successful attempt with ACK-ARP packets to bypass the MAC filtering protection.

3) Reserved mapping ports. Even though, this is “touching” the matter of NAT configuration on TCP layer , it is a very good method to block or even filter , specific ports for your network, in order to always maintain a control over your broadcasting/receiving ports for your network. You can always read a TCP-IP book or FAQ to learn how to set them up. For our case we are going to make a rule for UDP packets , in order to filter Name services (DNS).
Eg. UDP packets – Any internal => Destination port 53 => Destination == 0.0.0.0 (Where this IP is the local gateway for your router)

. This rule now , will forward any UDP packets from port 53 to the outside world. So , if an attacker will try to commence a DNS attack ,he will not be able to fake a DNS node , as all packets will be redirected to the Gateway. Of course this is very simply explained and you will need to establish additional rules to make this valid, but as i said , we will not expand on TCP settings , here.

4) Key encryption. In the recent years of use for 802.11b , WEP (Wired Equivalent Privacy) was used to encrypt the broadcasting signal and even today , you will propably meet it on a local WLAN.
However I am not recommending WEP usage. It is very simple to decrypt it and find out the key used. (will expand later on this). I will suggest to use WPA or WPA PSK.(Pre-Shared Key) which is much more harder to decrypt , due to the randomization of its key broadcasted. WPA2 is also available since the ends of 2004 , but I do not think that it will be essential to use on a simple home network, unless you think that you have something , very important to protect and increased security is the thing you want.

Wireless Security.

So far we have talked on how to configure your router on a TCP basis , to cover potential bugs and vulnerabilities in your network. But this is a wireless network and besides securing your packets , there are also , some additional ways to establish a secured range of signal for your LAN.

a) WEP. This method of encryption and protection is used in wide range for home networks. Most of the people are using 64bit keys , which are set with hexadecimal or alphanumeric keys. AES is the standard encryption used today instead o the RC4 algorithm used in the past. However this method is easy to get compromised with a sniffer like ethereal , which will capture the packets and you will only need a hexadecimal converter , to decrypt the key. More details on how to do this will be following.
b) SSID filtering. Service Set Identifier , is a way of joining a wifi network (e.g. like workgroup on terminals and networks) since both AP , NICs and Router will need to have the same given in their settings, for them to be part of this WLAN. Most of the wifi devices today , have an option , to disable broadcasting of SSID.
Use it, but do not take it as a security measure. It is only a way to make an attackers life harder , as to find how , he will be able to intrude to this “unknown” network he has discovered. Believe me an uknown wi-fi network (no SSID broadcasted) combined with WPA encryption will discourage 95% of the attackers.

c) WPA. This method of encryption today prevails , and it suggested to be used on machines with wifi abilities. It is very different on its usage , compared to the one WEP has. It is broadcasting 128 bit keys (in WPA2 – 256 bits) and it can be used in randomization if you are going to use it , on Enterprise mode. But in those cases, you might meet also RADIUS authentications or even WiFi DMZ over VPN…and the list goes on… as i said, security depends on the network needs. I find it very hard , for a home network to be in need , for implementing such procedures.

d) Physical Security. Since we are talking about wireless devices , we have to keep in mind that the main reason for developing and implementing such a WLAN is to gain mobility and flexibility.
By logical sequence , this leads to , more and more smaller devices. As humans we tend to lose small objects , or forget them to place where some can access them in a physical way. So you will always need to protect them with strong , random alphanumeric passwords , if they are PDAs , notebooks, etc.
What is harder though today to protect , are Bluetooth sticks which are using MAC addresses and can store SSID, WEP-WPA keys and can cause hazards to your network. For them , there is no standard way of protecting them , than the standard and common logic. Place a cord on them , store them in something that you will not forget.(e.g. wallet, cord attached to your key chain, etc.)

Conclusion.

I know that some of you might got tired of me , mumbling on wifi networks setup, but it is essential to set them here, as I need to proceed to the next step , which is WiFi attacks and a HOWTO for them…. Patience now… all good things , need some time to occur.

to be continued...........

sorry for the "to be continued" remark, but as this article is supposed to be continued in my personal site and group , there is no progress yet to add....

Second part of this tutorial , would be all about how to find and use security bugs and methods , for auditing and even penetration testing , in your OWN WLANs. Remember that GHG is not responsible , if methods and details here will be used by people for malicious purposes. This text is offered , for education and testing purposes only.

Goals to achieve.

Keep in mind that , wireless networks , are communicating over thin air, so every action that is taking place for wired environment networks, will be happening , also here for sure, but maybe via another way. So , by taking this under consideration , proceed to the next step.

Most of the above are already familiar as terms to people who are into , pen testing and auditing for typical and standard networks, in wired environments. They also know that they will need several tools to make this effort real and successful. In WLANs , now , which tools should be useful to have?
Well , the answer is not so “typical”… the best way is to find tools which will be able to provide services for:

For the first pack of services, you will have to trust Kismet and Netstumbler. They are both easy to find on the web , and they are free of charge. My selection though would be kismet , due to its potentials and abilities , along with the plus service to , discover fake made , APs by software like Black Alchemy.
But enough theory…go into action.

You are either positioned opposite of the building in the project , or into a car , commencing a war-driving attack. As Wi-Fi networks are not limiting their broadcast on their own , unless you have planned them to do so (omni/direct directional antennas) then you might discover an unknown wi-fi network near you. Now , I know that most of you , would think that for such a job , Linux & UNIX would be a better choice for this effort. Actually this is where Gates , is revenging TUX. Windows, due to their automatic way of discovering networks and direction to help users, they will be much more helpful on this one. Unless you are proud owners of a MacOS-X notebook with airport abilities. In that case you will , experience both, ease of use and in depth abilities of the system to use , via a UNIX terminal, for this. My suggestion though would be to use Windows , preferably XP pro.
Use a networking card for Wi-Fi , installed via PCMCIA. Avoid using internal wi-fi cards, due to their limited range , as they are placed inside a box, usually at the bottom of the notebook. If you are lucky enough to have a GPS software installed , engage that too, while probing. It will be of great assistance to provide you with help , on where exactly is this signal coming from.
In case you are in a car, remember to stay in dark corners and not in front of the building’s door. Try to not attract attention. Notebooks might do this. Prefer to use PDAs and Smart phones with wi-fi abilities. They are easier to hide and if they are of the “new breed” they will probably have GPS installed already.

The beginning.

Attack No1…

Use an AP of your own…No i am not making fun of you. I am being dead serious. If there is a network near by, use an access point of yours with no setting at all on it. SSID feature is broadcasted every 10-30 seconds by devices, for keeping connected to the WLAN.
Your AP will “catch” this signal and re-transmit it , to your area. You will have your own node to experiment on. Do not use your http management for your AP , as to have access to its logs and of course any transmitted packet send to it. Usually these packets include MAC addresses , SSID and the encrypted key for the network and I know that they are a “treasure”.

Use an RS-232 and do not connect by any TCP service to the AP. If you use TCP, then your terminal will be announced in the network (since your AP is now a part of it) and an admin will be able to notice you. Remain invisible and monitor all traffic via console and your cable. By the time you will have all details needed , then proceed to penetrate the network. Methods then , you can use are similar to the ones used in wired LANs.. Use ethereal & ettercap to capture passwords, analyze services and in general packets of the network , announced.
How to counter-act, if you are the admin of the network?
Use fake devices of your own , made with software, or simply placed with fake settings to confuse intruders. By the time they will figure out, that they have been fooled , they will have been exposed to your sniffing and auditing tools.

Attack No2…

RF jam attack. All wi-fi devices are probing for networks every 10-30 seconds. What you need to do , is to use a software and a directional Antenna to produce an RF jam (kinda like DoS) to block for the wished time , this wi-fi network, on the broadcasted channel.
By the time you do this, all wi-fi devices, will search for a transmitter to engage with. Use your notebook to setup one. Use the WinXP abilities to connect via ad-hoc to other networks. One or more computers will most probably , connect to your machine and might use ARIPA for assigning IP addresses to the nodes of this network. You will then have access to a specific terminal in this network and able to enumerate shares, decrypt passwords and even gain access to several files, if you are good enough with nmap and ethereal. For sure you will have a computer name , account and password to connect to the legal Wi-Fi network , as soon as you drop the RF-jam signal of yours and all communications for the building will be restored.
(details: Power Signal Generator for RF jam => www.ydi.com)

Attack No3…

Check for War-Chalking signals. You might encounter them , on front doors or near by walls.
e.g
)( = open node with SSID broadcasted. SSID might be written on the wall on top of the signal.
O = Closed node with SSID not broadcasted
O with a W in the middle which means protected node with encryption and probably SSID hidden.

I wont tell you what to do with the first two , as it is pretty easy to do what you know best with them. I will elaborate though on the third. Use Kismet and AirSnort. They are both usefull programs which are able to sniff, capture, analyze and finally decrypt all packets found on thin air. Remember to not attract attention while doing this. My best advice , is to stay for 3-4 minutes there and then take the data given with you at home and analyze them. If you wont get the private key in this time, (WPA2 and WPA tend to harden things up) , retry once or twice. If you still can not do it, just forget it. Go somewhere else ,cause there is a case , that someone might have noticed your continuous physical presence there.

Attack No4…

Hijacking attack. This is clearly an expansion to the first attack , where you are using a rogue device to make your way into this network. By the time your AP, is a part of this network then you can easily extract significant data on how to setup an Access Point , for this WLAN, on your netbook , with a software like Proxim Orinoco. There you can do the following combined…
Use an RF JAM device and block again , by selecting the channel where the authorized access point is broadcasting. Engage your notebook with the same settings used (from your captured packets) as a wi-fi switch (by using the Orinoco software) but on a different channel. Suddenly you are the main node for all incoming packets and the main gateway for all networking transactions for this WLAN!!! As you can imagine with a free software like ethereal , on your notebook, ….ehm…lets just say, that you can discover even what kind of “underware” is the admin wearing. Especially if this AP is the only device , between terminals, and a web proxy or gateway… you can limit your actions , only with your IT-Hacking imagination.
How to counteract to this?... Use VPN or to be simpler, on this one, do not use DHCP settings on your wi-fi APs. The whole success to this attack is to impersonate , a DHCP server , from a rogue device and stand as authorized machine to the clients. If the DCHP server is set on a desktop server, and MAC address is marked to the scope pool as bind to the leased IP , then the attacker will have a hard time on spoofing this. Not to mention that if there would be an ARP/ACK attack , all leds and alarms on your firewall , will go crazy.

Wi-Fi attacks?..sure… but Wi-Fi is not functioning only on NICs and APs.. It is also working on Bluetooth devices which are “in fashion” recently. They are able to use MAC & IP address to connect to WLANs. If now an expert administrator, considers their small size, mobility and ease to install , almost on any terminal, then he will have his hands full on how to fight back this one.
Bluetooth devices, are configured mostly in automatic ways (some of them via software) and can connect easily to wi-fi networks with minimum security (No WPA present). Imagine now , a person (visitor or guest, there for presentation or other reasons) at some time ready to connect to your network , with such a device on his notebook. Especially if your LAN is set to provide DHCP-DNS by a simple entrance of the terminal on the wi-fi network , via your local AP.
How to confront such a hazard?.. Use a sniffing – auditing tool , like air-magnet, at to be able to locate all Bluetooth devices , on location and capture any traffic , from and to , them. Some times preventing things from happening, is the best cure for it.

I know now, that I have not yet completed , much of the expectations here, but in order to this , I would need , more than 3-4 pages on just presenting , what tools to use in theory and do not even touch , attack methods. So I would rely on your questions on this one, and I will wait for them , to elaborate specifically on the things you will have to say.

1) Set WLAN to use WPA or even better, WPA2. Simply select WPA-PSK with TKIP or even better, WPA2-PSK with AES and set 20+ marks long passphrases on to it.
2) Disable remote access (from internet) to the modem/wlan basestation and only allow access from LAN.
3) Disable all other accounts except administrative account on the modem/wlan basestation and set 20+ marks long passphrase on to it.
4) Set up the modem/wlan:s firewall or atleast NAT to prevent "not-so-nice-packets" coming from the internet to your computer. If you use NAT and P2P programs etc, remember proper port forwarding.
5) Give out the WPA-PSK or WPA2-PSK passphrase to anyone you want to be able to access your network and change that WPA-PSK or WPA2-PSK every now and then (lets say every months or so).
6) If some components of yours do not support WPA or WPA2, upgrade them.

We have wireless routers (min 2-3 devices over our network) and one of the routers is configured with DHCP in addition to a MS 2003 DCHP server. We were looking for a solution from quite a long time to see whether a mechanism could be implemented in order to restrict the Wireless Router DHCP scope being used to push IP addresses to devices connected to network through cables (ie, at no point this wireless router would issue IP addresses to clients without a wireless network card).
Please update

I have not been into the wireless world, except for owning couple of routers with 802.1b and 802.1g respectively, which I was using to connect my old laptop with the matching plug-in card access for use in another room. I have disconnected both routers and the laptop had been retired temporarily, until I needed it for a trip. Now I might have to use it for my only access to the Internet, until my house is repaired. I need to know which is the best way to get a secure connection at a WI-FI access, such as McD's, a State WI-FI at a rest area, or a truck stop. This will be needed to pay bills and keep up with emails. I am running Norton IS 2010 as it's firewall and antivirus. What is the best way to set up a secure connection to accomplish this? It has WinXP SP3.